12-07-2016 11:54 AM - edited 03-08-2019 08:29 AM
Hi,
I've attached a picture of the topology for my problem.
DHCP Snooping and DAI is configured on the 3 switches (it's on switch L3 because hosts are also connected) for vlan 1 and 30 and the trunk ports are trusted.
The problem is that pc1 can't reach any other vlan when DAI is enabled for vlan 1 on Switch L3. All other devices are working well.
If I disable DAI on vlan 1 on switch L3, pc1 can reach everybody.
If I disable DAI on vlan 1 on switch L3, pc1 can reach the interface vlan 1 of sw1 and pc4 and pc1 and pc2. But NOT interface vlan 1 on switch L3 172.17.1.1 and devices on other vlans.
The DHCP binding of pc1 is in the snooping binding database of sw1. The ports between the switches are all trusted. The ports connected to the PCs all have the same configuration. The problem doesn't exist for the phones, even the phone of pc1.
I don't understand why the packets can go from pc1 to pc4 for example, because they have to go through switch L3, so they are accepted by the switch (furthermore DAI is trusted on the trunks). And they can't pass to another vlan with DAI enabled. Seems like they can come into the switch but not over interface vlan 1, AND JUST FOR ONE PC.
The conf is simple on switch L3, no ip arp inspection validate, ip arp inspection trust (on trunk ports), ip arp inspection vlan 1, ip arp inspection vlan 30
The problem is solved with no ip arp inspection vlan 1
CONFIG :
SW1 trunk with L3 :
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,29,30,70,80,252,262
switchport mode trunk
ip arp inspection trust
speed nonegotiate
ip dhcp snooping trust
end
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,29,30,70,80,252,262
switchport mode trunk
ip arp inspection trust
speed nonegotiate
channel-group 1 mode on
ip dhcp snooping trust
end
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,29,30,70,80,252,262
switchport mode trunk
ip arp inspection trust
speed nonegotiate
channel-group 1 mode on
ip dhcp snooping trust
end
Int f0/11 has the device with the issue and fa0/13 a device working :
interface FastEthernet0/11
description ***IP Phone + PC***
switchport mode access
switchport nonegotiate
switchport voice vlan 30
priority-queue out
mls qos trust device cisco-phone
mls qos trust dscp
spanning-tree portfast
spanning-tree bpduguard enable
end
interface FastEthernet0/13
description ***IP Phone + PC***
switchport mode access
switchport nonegotiate
switchport voice vlan 30
priority-queue out
mls qos trust device cisco-phone
mls qos trust dscp
spanning-tree portfast
spanning-tree bpduguard enable
end
Int vlan 1 of L3 :
interface Vlan1
description SSIT
ip address 172.17.1.1 255.255.0.0
no ip redirects
ip pim sparse-dense-mode
end
Int between L3 and sw1 :
interface GigabitEthernet2/0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,29,30,70,80,252,262
switchport mode trunk
ip arp inspection trust
speed nonegotiate
channel-group 12 mode on
ip dhcp snooping trust
end
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,29,30,70,80,252,262
switchport mode trunk
ip arp inspection trust
speed nonegotiate
channel-group 12 mode on
ip dhcp snooping trust
end
interface Port-channel12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,29,30,70,80,252,262
switchport mode trunk
ip arp inspection trust
speed nonegotiate
ip dhcp snooping trust
end
The show ip arp inspection files are attached.
Looks like it's not DAI that blocks the packet, but when I disable it, it's working well!
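As an added example (not code from the original post): a small Python model of the per-packet DAI decision a switch makes (is DAI on for the VLAN, is the ingress port trusted, does the sender match a DHCP snooping binding or an ARP ACL), applied to the topology above. pc1's MAC/IP and the short port names are assumed.

```python
# Model of Dynamic ARP Inspection (DAI) forwarding decisions, per switch.
# Constructed example for the sw1 <-> L3 topology in the post; pc1's
# MAC/IP and port names (Fa0/11, Po1, Po12) are assumptions.
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    dai_vlans: set                 # "ip arp inspection vlan ..."
    trusted_ports: set             # ports with "ip arp inspection trust"
    # DHCP snooping bindings learned by THIS switch: {(mac, ip, vlan)}
    bindings: set = field(default_factory=set)
    # Static permits from an "arp access-list" applied with
    # "ip arp inspection filter": {(mac, ip)}
    arp_acl: set = field(default_factory=set)

    def inspect_arp(self, in_port, vlan, sender_mac, sender_ip):
        """Return (forwarded: bool, reason: str) for one ARP packet."""
        if vlan not in self.dai_vlans:
            return True, "DAI not enabled on this VLAN"
        if in_port in self.trusted_ports:
            return True, "trusted port: ARP is not inspected"
        if (sender_mac, sender_ip) in self.arp_acl:
            return True, "permitted by ARP ACL"
        if (sender_mac, sender_ip, vlan) in self.bindings:
            return True, "matches a DHCP snooping binding on this switch"
        return False, "no binding on this switch: dropped (see 'show ip arp inspection')"


# Constructed values; the real addresses of pc1 are not in the post.
PC1_MAC, PC1_IP = "0011.2233.4455", "172.17.1.50"

sw1 = Switch("sw1", dai_vlans={1, 30}, trusted_ports={"Po1"},
             bindings={(PC1_MAC, PC1_IP, 1)})
# L3 never saw pc1's DHCP exchange on an untrusted port, so it has no binding.
l3 = Switch("L3", dai_vlans={1, 30}, trusted_ports={"Po12"})


def trace_pc1_arp():
    """pc1's ARP on its access port, then on L3's trusted trunk, then on
    L3 if the trunk were untrusted (the case that drops it)."""
    hop1 = sw1.inspect_arp("Fa0/11", 1, PC1_MAC, PC1_IP)   # untrusted access
    hop2 = l3.inspect_arp("Po12", 1, PC1_MAC, PC1_IP)      # trusted trunk
    l3_untrusted = Switch("L3", {1, 30}, set())
    hop3 = l3_untrusted.inspect_arp("Po12", 1, PC1_MAC, PC1_IP)
    return hop1, hop2, hop3


if __name__ == "__main__":
    for fwd, why in trace_pc1_arp():
        print("FORWARD" if fwd else "DROP   ", why)
```

Because bindings are local to the switch that snooped the DHCP exchange, an upstream switch can only accept pc1's ARP through a trusted port or an ARP ACL, which is why the trust state of Po12 on L3 is the first thing to verify.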